Tamper-evident travel devices equipped with secure re-image file (s)

ABSTRACT

A method of enhancing travel security features associated with a mobile device is provided. The method may include operating a time clock to store a start device confiscation time in a memory and to store an end device confiscation time in the memory, monitoring the mobile device to detect tampering occurring between the start device confiscation time and the end device confiscation time, and in response to the detecting of tampering, prompting the user for a secure identifier. Upon receipt of the secure identifier, the method may include opening a secure i/o pathway to a re-image file. The secure i/o pathway preferably enables execution of an executable re-image file. The re-image file may be used to re-image a software image of the mobile device. The re-image file may contain a pre-tampered image of the mobile device.

FIELD OF TECHNOLOGY

This disclosure relates to trusted travel devices.

BACKGROUND

When a person is travelling, one or more of his devices may be removedfrom his possession for investigation. Such removal may includeinspection. Such removal may include tampering. Such tampering mayinclude installing wire-tapping applications on the mobile device. Suchtampering may involve installing other listening or logging devices onthe mobile device.

Various conventional approaches exist to responding to suchconfiscation, tampering and installation of such listening devices.These approaches include browser containerization, virtual sandbox,etc., in order to allow for continued secure web interaction duringtravel. As technology develops further, it is important to continue toimprove mobile devices, and methods for using the mobile devices, thatare secure.

Further, it would be desirable to provide systems and methods thatmitigate the possibility of breach of mobile device security.

It would be further desirable to provide systems and methods thatidentify the occurrence of such tampering and/or other breach.

Assuming breach, it would be desirable to provide systems and methodsthat can remediate a post-breach condition.

SUMMARY OF THE DISCLOSURE

It is an object of this disclosure to provide systems and methods thatmitigate the possibility of such breach.

It is an object of this disclosure to provide systems and methods thatidentify the occurrence of such tampering and/or other breach.

It is an object of this disclosure to provide systems and methods thatcan remediate a post-breach condition.

A mobile device including enhanced travel security features is provided.The mobile device may include a memory and a settable time clock. Thetime clock preferably operates to store a start device confiscation timein the memory and to store an end device confiscation time in thememory.

In some embodiments, the mobile device may include a button or sensorthat renders the device inoperable for a set period of time and/orrequires codes to unlock the device. In certain embodiments, input ofinvalid codes may render the device inoperable, the data within thedevice unrecoverable or both after a specific number of unsuccessfulattempts.

In some embodiments, codes for user input may be part of a multifactorauthentication sequence. Such a multifactor authentication sequence mayinclude input of correct code(s), a successful login, and/or detectionof a pre-authorized RFID or pairing with a pre-authorized Bluetoothdevice.

The mobile device may also include at least one monitor device. Themonitor device may detect tampering with the mobile device. Thetampering may occur between the start device confiscation time and theend device confiscation time.

The mobile device may also include an executable re-image file. There-image file may be configured to re-image, upon a command from themobile device, a software image of the mobile device. The re-image filemay preferably be stored in the memory prior to the start deviceconfiscation time.

The mobile device may also include a secure i/o pathway through thememory to the re-image file. The secure i/o pathway may be unsecured atan i/o point to the memory but secure at an i/o point within the memory.The i/o point within the memory may provide a traversable gateway to there-image file.

After the end device confiscation time and in response to the detectingof said tampering, the mobile device preferably prompts the user for asecure identifier. Upon receipt of the secure identifier, the mobiledevice may open the traversable gateway and execute the re-image file.

In some embodiments, the mobile device may allow for inspection showinguser-configured information. This user-configured information may or maynot reflect the true state of the mobile device. This information shouldpreferably be provided from a functionally separate container—i.e., acontainer that exists and functions preferably separate and apart fromthe core container of the mobile device. Such a mode ofself-configurable display preferably provides an appearance of havingcomplied without disclosing secure information. In this mode, securedinformation is preferably not accessible to a third party.

BRIEF DESCRIPTION OF THE DRAWINGS

The objects and advantages of the invention will be apparent uponconsideration of the following detailed description, taken inconjunction with the accompanying drawings, in which like referencecharacters refer to like parts throughout, and in which:

FIG. 1 is a schematic diagram of a mobile device in accordance with theprinciples of the disclosure;

FIG. 2 is another schematic diagram of a mobile device in accordancewith the principles of the disclosure;

FIG. 3 is a timing diagram of mobile device clock in accordance with theprinciples of the disclosure;

FIG. 4 are timing diagrams of an exemplary network traffic monitor andan exemplary bandwidth usage monitor in accordance with the principlesof the disclosure;

FIG. 5 is a timing diagram of a central processing unit (CPU) usagemonitor in accordance with the principles of the disclosure;

FIG. 6 is a schematic diagram of memory for use in systems and/ormethods in accordance with the principles of the disclosure;

FIG. 7 is another schematic diagram of memory for use in systems and/ormethods in accordance with the principles of the disclosure;

FIG. 8 is a mobile device having a port, and an actuation device forlocking the port, in accordance with the principles of the disclosure;and

FIG. 9 is a mobile device having a port, and a wirelessly-triggerabledevice for locking the port, in accordance with the principles of thedisclosure.

DETAILED DESCRIPTION

Breach protection according to the embodiments may include the abilityto lock down one or more ports during confiscation. Such lock-down maypreferably be implemented, in certain embodiments, by toggling alock-down switch. Such port lock-down can protect against a prospectivetamperer having access to the port(s) that would allow tampering.

In place of a switch, or complementary thereto, other embodiments mayinclude an internal sensor that detects uncharacteristic rough handlingof the mobile device, greater than a pre-determined distance ofseparation from an RFID chip or Bluetooth device, or unauthorizedattempt(s) to access information by physical or digital means.

Such toggling can be implemented using a hard-wired switch that presentson the exterior of the mobile device. Such a hard-wired switch maymechanically disconnect the internal components of the device from theport(s) that may be used for tampering.

Such toggling can be implemented using a wireless capable device. Thewireless capable device may be configured to send a wireless signal tothe mobile device. The wireless signal may cause an internaldisconnection, such as a software disconnection or hardwaredisconnection, of the port(s)—thereby blocking access of a prospectivetamperer to the internal workings of the mobile device.

In certain embodiments of the disclosure, an audio and/or visual alarmcan indicate the past occurrence of a breach using a strobe on device—orat remote location. Such a breach may include unauthorized electroniccommunications with the mobile device. Such a breach may includetampering with the electronic components of the mobile device. Such abreach may include implanting a wire-tapping device, a text-tappingdevice or any other tampering device within the mobile device hardwareand/or software.

In certain embodiments, multi-factor authentication, such a password, aOne-Time-Password (OTP), a biometric characteristic, a passphrase orother authentication may be required to access the device during travel.

Other systems and methods for preventing breach may include monitoringthe device during the period of confiscation. Such monitoring mayinclude the state of the machine, or some aspect of the machine. Suchmonitoring may include monitoring and recording performance of certainaspects of the machine during confiscation. Part of the monitoring mayinclude using the phone clock for capturing the window of time ofconfiscation. Thereafter, the device may be configured to reviewperformance history of a CPU usage monitor, a bandwidth monitor, anetwork traffic monitor, a website presentation monitor or otherrelevant monitor to identify device tampering during confiscation.

In some embodiments, device tampering may be linked to the detection ofanomalous behavior derived from the monitoring of one of the listedmonitors.

When breach occurs, some embodiments of the disclosure may involve ahard-wired mechanism that mitigates the effects of the breach. Thehard-wired mechanism may reside in the device. The hard-wired mechanismmay provide the ability to re-image the device post-breach.

The re-image is preferably hard-wired to a pre-travel image. There-image may be pre-loaded in a pre-determined, secure, location in thememory. The re-image may include a signature lockdown file. Re-imagingthe device to a pre-travel state may preferably eliminate the effects ofany tampering.

In some embodiments of the invention, integrity verification informationmay also be set up in the pre-determined, secure, location in the file.As such, the location in the memory may contain hardware and/or softwarethat preferably cannot be overwritten which contains biometricinformation, calendar and scheduling information, online-offline timinginformation and/or any other integrity verification information or otherrelevant information.

In some embodiments—the software associated with integrity informationmay be secured by encryption, hashing algorithms, distributed ledgerssuch as blockchains or any other suitable security measures. In certainembodiments, such a blockchain may be protected by limiting write accessto one or more secure locations on the chain, while allowing read accessfrom numerous locations on the chain.

Hardware protection for such overwriting may include placing epoxy onthe write-access portions of the solder traces and/or the chipsthemselves that include the secure information. As such, gaining writeaccess to such mechanically protected areas would require a removal ofthe epoxy, or other protective fixate. This removal would causedestruction of the system prior to allowing the system to be compromisedby tamperer.

In certain embodiments, the device may capture the state of the machineand check the state of the machine prior to and after device inspection.This may be considered ⋅mobile threat defense⋅ technology. Suchtechnology may include the capability to detect and inform when asecurity breach has occurred during confiscation. This information maybe derived from the delta observed between the pre- andpost-confiscation machine.

Certain embodiments of the disclosure may also include location-basedservices to help provide additional information, reminders or socialdistancing, etc. These embodiments may also include sending pro-activenotifications to travelers.

A mobile device according to the disclosures includes enhanced travelsecurity features. The mobile device includes a memory and a settabletime clock. The time clock preferably operates to store a start deviceconfiscation time in the memory and to store an end device confiscationtime in the memory.

The mobile device includes at least one monitor device. The monitordevice may act to detect tampering with the mobile device. The tamperingmay occur between the start device confiscation time and the end deviceconfiscation time.

The mobile device may also include an executable re-image file. Theimage file may be used to re-image, upon a command from the mobiledevice, a software image of the mobile device. The re-image file may bestored in the memory prior to the start device confiscation time.

The mobile device may also include a secure i/o pathway through thememory to the re-image file. After the end device confiscation time andin response to the detecting of the tampering, the mobile device mayprompt the user for a secure identifier. Upon receipt of the secureidentifier, the mobile device may open the secure i/o pathway andexecute the re-image file.

In some embodiments, the secure i/o pathway may be traversable only inresponse to an input to the mobile device of a user biometric parameter.

In some embodiments, the secure i/o pathway may be traversable only inresponse to an input to the mobile device of a one-time password (OTP).

In other embodiments, the secure i/o pathway may be traversable only inresponse to an input to the mobile device of a user PersonalIdentification Number (PIN). In yet other embodiments, the secure i/opathway may be traversable in response to a combination of an input oftwo or more of a user biometric parameter, a one-time password (OTP), apassphrase and a personal identification number (PIN).

In certain embodiments, the mobile device may include an externalcommunications port and a toggleable communications port lock. Thetoggleable port lock may be used to lock down communications through theexternal communications port.

In some embodiments, the toggleable port lock may be a hardware devicethat presents, at least partially, on an external housing of the mobiledevice.

In other embodiments, the toggleable port lock may be a software devicethat is toggleable using a remote, wirelessly-enabled, port lock signalgenerating device.

Other embodiments may include a system for increasing security of mobiledevices. The system and/or the mobile device may include enhanced travelsecurity features.

The mobile device may include a memory and a settable time clock. Thesettable time clock may operate to store a start device confiscationtime in the memory and to store an end device confiscation time in thememory. At least one monitor device selected from the group consistingof a network traffic monitor device, a bandwidth usage monitor deviceand a central processing usage monitor device may be used to record theactivity between the start device confiscation time and the end deviceconfiscation time in the memory. The monitor device may flag ananomalous device condition that occurred between the start deviceconfiscation time and the end device confiscation time.

In some embodiments, the start device confiscation time and the enddevice confiscation time is determined by user command. That is tosay—the user may actuate or otherwise initiate the operation of theclock in order to start the operation of the clock at the beginning ofthe confiscation time. The user may also, under certain conditions or incertain embodiments, actuate or otherwise terminate the operation of theclock in order to record the end point the confiscation time. The clockinitiate command may also initiate operation of one or more devicemonitors of the types of device monitors set forth herein.

In some embodiments, the start device confiscation time may be fixed andrecorded when the mobile device passes a threshold distance from themobile device user. In some embodiments, the end device confiscationtime may be fixed and recorded when the mobile device returns within thethreshold distance of the user.

In certain embodiments, whether the mobile device passes the thresholddistance may be determined, at least in part, by calculating a distancebetween the mobile device and a second device, preferably mobile,located on the user's person.

In other embodiments, whether the mobile device passes the thresholddistance can be determined, at least in part, by calculating a traveltime following removal of the mobile device from the person of the useruntil the motion of the device ceases. The determination as to whetherthe mobile device returns within the threshold distance can, similar toabove, be calculated by determining a proximity of the mobile device tothe person of the user. In such embodiments, the determination as towhether the mobile device returns to the person of the user can beeffectuated by the retrieval, using the mobile device, of biometricsignals related to the user such as gait, sound, and/or any othersuitable biometric user-identifying signals.

In some embodiments, the flagging of the anomalous device condition mayinclude providing a visual indication on the mobile device of theoccurrence of the anomalous device condition.

In certain embodiments, the anomalous device condition may correspond toinstallation of a snooping application on the mobile device. This mayoccur during the confiscation of the device.

In some embodiments, the anomalous device condition may correspond toinstallation of a wire-tapping application, text-intercepting or e-mailintercepting application (or hardware device) installed on the mobiledevice. This may occur during the confiscation of the device.

A mobile device performance review application may be implemented fordetermining whether a current device performance status indicates thepast occurrence of the anomalous device condition. For example, if themobile device performance review application determines the pastoccurrence of the anomalous device condition, the application may querywhether the anomalous device condition occurred between the start deviceconfiscation time and the end device confiscation time.

Illustrative embodiments of apparatus and methods in accordance with theprinciples of the invention will now be described with reference to theaccompanying drawings, which form a part hereof. It is to be understoodthat other embodiments may be utilized and structural, functional andprocedural modifications may be made without departing from the scopeand spirit of the present invention.

The drawings show illustrative features of apparatus and methods inaccordance with the principles of the invention. The features areillustrated in the context of selected embodiments. It will beunderstood that features shown in connection with one of the embodimentsmay be practiced in accordance with the principles of the inventionalong with features shown in connection with another of the embodiments.

Apparatus and methods described herein are illustrative. Apparatus andmethods of the invention may involve some or all of the features of theillustrative apparatus and/or some or all of the steps of theillustrative methods. The steps of the methods may be performed in anorder other than the order shown or described herein. Some embodimentsmay omit steps shown or described in connection with the illustrativemethods. Some embodiments may include steps that are not shown ordescribed in connection with the illustrative methods, but rather shownor described in a different portion of the specification.

One of ordinary skill in the art will appreciate that the steps shownand described herein may be performed in other than the recited orderand that one or more steps illustrated may be optional. The methods ofthe above-referenced embodiments may involve the use of any suitableelements, steps, computer-executable instructions, or computer-readabledata structures. In this regard, other embodiments are disclosed hereinas well that can be partially or wholly implemented on acomputer-readable medium, for example, by storing computer-executableinstructions or modules or by utilizing computer-readable datastructures.

FIG. 1 is a schematic diagram of a mobile device 102 in accordance withthe principles of the disclosure. Mobile device 102 preferably includesa screen 104.

FIG. 2 is another schematic diagram of a mobile device 202 in accordancewith the principles of the disclosure. Mobile device 202 preferablyincludes a memory 204, a CPU 206, and a device clock 208. It should benoted that each of the components described herein should preferably bein electronic communication with one another.

FIG. 3 is a timing diagram of a mobile device clock in accordance withthe principles of the disclosure. Temporary confiscation 302 shows atimeline of an exemplary confiscation that may occur in the setting of adomestic or foreign airport or a domestic or foreign customs office. Adevice clock timeline is shown at 304. The device clock 304 showsactivation of the confiscation time capture at time T₀ and de-activationof the confiscation time capture T₁. Activation at T₀ and de-activationat T₁ set the confiscation time capture 306 between T₀ and T₁. All ofthis information can be based on activation and de-activation of deviceclock 304.

In addition, device clock 304 may be monitored to determine whetherdevice clock 304 has either markedly slowed down or markedly speeded upduring the confiscation. One or more of such marked changes in theoperation of device clock 304 may, under certain circumstances, indicatetampering.

FIG. 4 are timing diagrams of an exemplary network traffic monitor 402and an exemplary bandwidth usage monitor 404 in accordance with theprinciples of the disclosure. It should be noted that informationderived from either of network traffic monitor 402 and the bandwidthusage monitor 404 may be used to determine whether an anomalous eventoccurred during confiscation time capture 406.

Network traffic monitor 402 shows an exemplary traffic in/traffic outanalysis. This information may be used to determine whether improperinformation, as characterized by a relatively high level of networkactivity, was transmitted or received during confiscation time capture406.

Bandwidth usage monitor 404 shows use of bandwidth capacity duringconfiscation time capture 406. It should be noted that a threshold level412 may be presented in order to enable systems and/or methods accordingto the disclosure to quantify bandwidth usage and what may be consideredan anomalous condition during the confiscation time capture 406.

FIG. 5 is a timing diagram of a central processing unit (CPU) usagemonitor 502 in accordance with the principles of the disclosure. Itshould be noted that a threshold level 512 may be presented in order toenable systems and/or methods according to the disclosure to quantifyCPU usage and to classify what may be considered an anomalous conditionduring the confiscation time capture 506.

FIG. 6 is a schematic diagram of memory 608 for use in systems and/ormethods in accordance with the principles of the disclosure. At 606,central I/O shows a connection to memory 608. Within memory 608, theremay also be a signature lock-down file 602.

Signature lock-down file 602 may preferably be a pre-confiscation imagefile. Such a file 602 may preferably be sealed off from the rest ofmemory by a hardware or software lock at 604. This lock protects the I/Oto the signature lock-down file. This lock may be opened by input of abiometric characteristic associated with the user. This lock may beopened by unique identifier known to, and input by, the user. This lockmay be opened by a one-time password transmitted to the user using acommunication channel other than the mobile device associated with theuser. This lock may be opened by a one-time password transmitted to theuser using a communication channel which forms part of the mobiledevice. This lock may be opened by a combination of more than one of thebiometric identifier, the password the OTP, or any other suitable secureinformation.

FIG. 7 is another schematic diagram of memory for use in systems and/ormethods in accordance with the principles of the disclosure. FIG. 7 issimilar to FIG. 6 in that memory 708, central I/O 706 and lock 704correspond to like elements in FIG. 6. In contrast to FIG. 6, FIG. 7does illustrate graphically that image 702 is a hard-wired pre-travelimage that may be relied on, post-tampering and post-reimaging, toreturn the device to its pre-travel image.

FIG. 8 is a mobile device 802 having a housing 802, a screen 804, a port806 and a toggleable switch 808. Switch 808 may preferably be used tolock port 806. For the purposes of this application the term “lock” maybe understood to mean preventing operation of port 806 such thatelectronic communications cannot pass through port 806. As such, allattempts at tampering through locked port 806 would not be successfulbecause no electronic communications would be allowed to pass throughport 806.

Switch 808, or any other suitable actuation device, may be used by auser to lock port 806. In certain embodiments, toggling of switch 808may obtain an on/off toggle of port 806 only when switch 808 is toggledin a pre-determined pattern. As such, indeterminate, non-pattern,toggling of switch 808 will not obtain any change of the operability ofport 806.

FIG. 9 shows a mobile device having a housing 902, a screen 904, a port906, an optional port block indicator 912, and a remote port togglingdevice 908. Wireless signal indicators are shown at 910.

Port 906 may be a wirelessly-lockable device. As such, port 906 may belocked remotely—e.g., by a wireless signal 910 generated by device 908.For example, when the mobile device is confiscated, the user can usedevice 908 to generate a wireless locking signal 910—thereby lockingport 906 from tampering. Furthermore, some embodiments of the inventionmay also include a port block indicator 912 that indicates that port 906is blocked.

Thus, systems and methods involving trusted travel devices have beenprovided. Persons skilled in the art will appreciate that the presentinvention can be practiced by other than the described embodiments,which are presented for purposes of illustration rather than oflimitation.

What is claimed is:
 1. A mobile device comprising enhanced travelsecurity features, the mobile device comprising: a memory; a settabletime clock, said time clock that operates to store a start deviceconfiscation time in the memory and to store an end device confiscationtime in the memory; at least one monitor device, said monitor device fordetecting tampering with the mobile device, the tampering occurringbetween the start device confiscation time and the end deviceconfiscation time; an executable re-image file for re-imaging, upon acommand from the mobile device, a software image of the mobile device,said re-image file stored in the memory prior to the start deviceconfiscation time; a secure i/o pathway through the memory to there-image file; wherein, after the end device confiscation time and inresponse to the detecting of said tampering, the mobile device promptsthe user for a secure identifier; and wherein, upon receipt of saidsecure identifier, said mobile device opens the secure i/o pathway andexecutes said re-image file.
 2. The mobile device of claim 1, whereinthe secure i/o pathway is traversable only in response to an input tothe mobile device of a user biometric parameter.
 3. The mobile device ofclaim 1, wherein the secure i/o pathway is traversable only in responseto an input to the mobile device of a one-time password (OTP).
 4. Themobile device of claim 1, wherein the secure i/o pathway is traversableonly in response to an input to the mobile device of a user PersonalIdentification Number (PIN).
 5. The mobile device of claim 1, whereinthe secure i/o pathway is traversable in response to a combination of aninput of two or more of a user biometric parameter, a one-time password(OTP) and a personal identification number (PIN).
 6. The mobile deviceof claim 1 further comprising an external communications port and atoggleable communications port lock, the toggleable port lock forlocking down communications through the external communications port. 7.The mobile device of claim 6, wherein the toggleable port lock is ahardware device that presents, at least partially, on an externalhousing of the mobile device.
 8. The mobile device of claim 6, whereinthe toggleable port lock is a software device that is toggleable using aremote, wirelessly-enabled, port lock signal generating device.
 9. Themobile device of claim 6, wherein the secure i/o pathway passes throughthe memory, is not secure at an i/o point to the memory, but is secureat an i/o point to the re-image file.
 10. The mobile device of claim 1,wherein at least one of the start device confiscation time and the enddevice confiscation time is determined by user command.
 11. The mobiledevice of claim 1, wherein the at least one monitoring device isselected from the group consisting of: a network traffic monitor device;a bandwidth usage monitor device; a battery performance monitor device;a website presentation monitor device; and a central processing usagemonitor device.
 12. A method of enhancing travel security featuresassociated with a mobile device, the method comprising: operating a timeclock to store a start device confiscation time in a memory and to storean end device confiscation time in the memory; monitoring the mobiledevice to detect tampering within the mobile device, the tamperingoccurring between the start device confiscation time and the end deviceconfiscation time; and after the end device confiscation time and inresponse to the detecting of said tampering, prompting the user for asecure identifier; upon receipt of said secure identifier, opening asecure i/o pathway to a re-image file, said secure i/o pathway thatenables execution of an executable re-image file, the re-image file forre-imaging a software image of the mobile device, said re-image filebeing stored in the memory, and containing a pre-tampered image of themobile device.
 13. The method of claim 1, wherein the secure i/o pathwayis traversable only in response to an input to the mobile device of auser biometric parameter.
 14. The method of claim 1, wherein the securei/o pathway is traversable only in response to an input to the mobiledevice of a one-time password (OTP).
 15. The method of claim 1, whereinthe secure i/o pathway is traversable only in response to an input tothe mobile device of a user Personal Identification Number (PIN). 16.The method of claim 1, wherein the secure i/o pathway is traversable inresponse to a combination of an input of two or more of a user biometricparameter, a one-time password (OTP) and a personal identificationnumber (PIN).
 17. The method of claim 12 further comprising receiving alock command, said lock command that toggles an external communicationsport, said toggling of said external communications port that locks downelectronic communications through the external communications port. 18.The method of claim 17, wherein said receiving a lock command comprisesreceiving said lock command on a hardware device, said hardware devicethat presents, at least partially, on an external housing of the mobiledevice.
 19. The mobile device of claim 18, wherein said receiving a lockcommand comprises receiving wireless lock command, said wireless lockgenerated by a remote, wirelessly-enabled, port lock signal generatingdevice.
 20. The method of claim 12, wherein the secure i/o pathway isnot-secure at an i/o point to the memory but is secure at an i/o pointto the re-image file.
 21. The method of claim 12, wherein at least oneof the start device confiscation time and the end device confiscationtime is determined by user command.
 22. The method of claim 12, whereinthe at least one monitoring device is selected from the group consistingof: a network traffic monitor device; a bandwidth usage monitor device;a battery performance monitor device; a website presentation monitordevice; and a central processing usage monitor device.
 23. A mobiledevice comprising enhanced travel security features, the mobile devicecomprising: a memory; a settable time clock, said time clock thatoperates to store a start device confiscation time in the memory and tostore an end device confiscation time in the memory; at least onemonitor device, said monitor device for detecting tampering with themobile device, the tampering occurring between the start deviceconfiscation time and the end device confiscation time; an executablere-image file for re-imaging, upon a command from the mobile device, asoftware image of the mobile device, said re-image file stored in thememory prior to the start device confiscation time; a secure i/o pathwaythrough the memory to the re-image file, the secure i/o pathway beingunsecured at an i/o point to the memory but secure at an i/o pointwithin the memory, the i/o point within the memory that provides atraversable gateway to the re-image file; wherein, after the end deviceconfiscation time and in response to the detecting of said tampering,the mobile device prompts the user for a secure identifier; and wherein,upon receipt of said secure identifier, said mobile device opens thetraversable gateway and executes said re-image file.